Abstract. The Epistemic Halpern-Shoham logic (EHS) is a temporal-epistemic logic that combines the interval operators of the Halpern-Shoham logic with epistemic modalities. The semantics of EHS is based on interpreted systems whose labelling function is defined on the endpoints of intervals. We show that this definition can be generalised by allowing the labelling function to be based on the whole interval by means of regular expressions. We prove that all the positive results known for EHS, notably the attractive complexity of its model checking problem for some of its fragments, still hold for its generalisation. We also propose the new logic EHS^re, which operates on standard Kripke structures and has expressive power equivalent to that of EHS with regular expressions. We compare the expressive power of EHS^re with standard temporal logics.


1 Introduction 

Model checking is a leading technique in automatic verification. The model checking problem consists of establishing whether a property, expressed as a logical formula, holds on a system, represented as a model. Model checking has recently been studied in the context of interval temporal logic [22, 24]. In this context temporal specifications consist of formulas expressing properties of intervals rather than states, as is traditionally the case in temporal logic.

Interval temporal logic has a long and successful tradition in Logic in Computer Science. The logics ITL, defined by Moszkowski, and HS, defined by Halpern and Shoham, are the most commonly used formalisms. ITL suffers from the high complexity of its model checking problem, which is non-elementary-complete. In this paper we focus on HS as the basic underlying framework. HS is a modal temporal logic in which the elements of a model are pairs of points in time, or intervals. For an interval $[p, q]$ it is assumed that $q$ happens no earlier than $p$, but no assumption is made on the underlying order, which can be discrete, continuous, linear, branching, etc.

Traditionally, twelve modal operators acting on intervals are defined in HS. They are: $A$ (“after/meets”), $B$ (“begins”), $D$ (“during”), $E$ (“ends”), $L$ (“later”), $O$ (“overlaps”) and their duals $\bar A, \bar B, \bar D, \bar E, \bar L, \bar O$. Some of them are redundant; for example, $B$ and $E$ can define $D$ (a prefix of a suffix is an infix) [14, 15].

The analysis of HS and its fragments is traditionally limited to its satisfiability problem. This is known to be undecidable in general, even when HS is restricted to its unimodal fragments [9]. Notable decidable fragments are the $A\bar A$ fragment with length constraints [7], the $AB\bar B\bar L$ fragment [26], and the recently identified Horn fragment [4]. Some fragments are decidable only over some particular classes of orderings. For example, the $B\bar BD\bar DL\bar L$ fragment was shown to be decidable over the class of all dense orders, while the $D$ fragment is undecidable over discrete orders [25]. The same logic becomes decidable if one assumes that an interval is its own infix [29]. While a wealth of results has been put forward, open questions remain. For example, the decidability of the $D$ fragment over the class of all orders is currently open.

The logic EHS. In applications, temporal logics often appear in combination with other modalities expressing other aspects of the system or its components. A notable example is temporal-epistemic logic [16], where the knowledge of the components, or agents, is assessed from an information-theoretic point of view. Temporal-epistemic logic is widely explored in applications, including security; dedicated model checkers have been released.

In the traditional approach, the underlying temporal logic is state-based, either in its linear or branching variants. A notable exception to this is the Epistemic HS logic (EHS) [22], which consists of a combination of epistemic modalities with the interval-based temporal logic HS. EHS combines all the HS interval-temporal modalities with standard epistemic modalities: $K_i$ (“agent $i$ knows that”) and $C_\Gamma$ (“it is common knowledge in the group of agents $\Gamma$ that”). The logic EIT, a simple fragment of EHS where only epistemic modalities are allowed, but modalities are interpreted on intervals rather than points, has been shown to be PSPACE-hard. Model checking of the $A\bar A$ fragment of EHS with epistemic operators is PSPACE-complete. Finally, in [24] it was shown that the $ABL$ fragment of EHS has a decidable model checking problem.

The labelling function in the structures considered in [22] is defined on the endpoints of the intervals. This corresponds to the intuitive representation of intervals as pairs and is often adopted in the literature. However, other choices are possible. For example, [28] considers the labelling of an interval to be the intersection of the labellings of all its elements. We argue that even more expressive setups are required.

Assume, for example, that we need to label a whole process of printing by means of the propositional variable printing. Adopting [28] and labelling the process with printing, it would follow that every subinterval would need to be labelled with printing too. This may not correspond to our intuition.

Similarly, if we were to adopt a labelling based on endpoints, and $S$ ($E$) is the state where printing starts (ends, respectively), it would follow that all the intervals starting in $S$ and ending in $E$ have to be labelled with printing. But if more than one process is present, it follows that the interval starting at the beginning of the first process and ending at the end of the second one is also labelled with printing, which, again, may be against our intuition.

This is just a simple example (we explore more significant ones in Section 2); but it suggests that more liberal labellings imposing no such constraints are called for in this context. From a theoretical standpoint, it is of interest to generalise previous labelling approaches and assess the impact these have on the decidability of the model checking problem. We are not aware of any previous attempt in this direction in the context of any HS logic.


Contribution. We put forward a generalisation of the labelling functions independently proposed in [22] and [28]. The novel labelling is defined by using regular expressions based on the states of the whole interval. For example, the process of printing from the example above can now be modelled by using the regular expression $S(\neg E)^*E$. The models that result from this labelling are here called interpreted systems with regular labelling, ISRL for short. We study the logic EHS+, sharing the syntax of EHS, but interpreted over ISRL, and show that it enjoys all the positive results known for EHS.

In order to be able to express properties of standard point-based models, and formally characterise the expressive power of EHS+, we also define and study the logic EHS^re. Intuitively, EHS^re can be seen as the result of moving the regular expressions from the labelling function to the atomic propositions. We show polynomial time reductions between the model checking problems for EHS^re and EHS+ and characterise the expressive power of the former.

Related work. Initial results for the model checking of HS and some of its variants have appeared recently [22, 24, 28]. The results of this paper generalise those presented in [22, 24]. Our setting is more expressive than [22] and further benefits from the fact that many properties become easier to express.

Note that ITL does allow for regular expressions to be used. Unlike EHS^re, where regular expressions can be used only for propositions, in ITL they can be used for any subformula. However, ITL expresses properties of a single interval, while EHS^re can express properties of different branches. Furthermore, HS enjoys several fragments, such as the BDE one, with a computationally attractive model checking problem. This may be of particular use in applications.

Two further formalisms that are related to EHS^re are PDL and its linear counterpart LDL [12]. An epistemic version of PDL, E-PDL, was proposed in [5]. However, epistemic modalities in E-PDL are interpreted on points, not intervals as in EHS and EHS^re. This is largely the reason why EHS^re is more expressive than E-PDL and the model checking problem for E-PDL is decidable in polynomial time [20], whereas the model checking problem for EIT is already PSPACE-hard. Notice also that E-PDL does not have backward modalities and can express properties of actions, unlike EHS^re.

Results on the correspondence between regular expressions and HS were presented in [27], where it was shown that each $\omega$-regular language can be encoded in the $AB\bar B$ fragment of HS. The encoding, however, uses additional propositional variables to label intervals, and therefore cannot be used for the model checking problem.

2 Interpreted systems with regular labelling 

We begin by recalling the notion of regular expressions. Given a set $X$, the set of regular expressions over $X$, denoted by $RE_X$, is defined by the following BNF:

$e ::= \emptyset \mid \varepsilon \mid s \mid e;e \mid e + e \mid e^*$

where $s \in X$. We allow parentheses for grouping and often omit the concatenation symbol $;$.

For each regular expression $e$, let $Lang(e)$ stand for the language denoted by $e$. Formally, $Lang(\emptyset) = \emptyset$, $Lang(\varepsilon) = \{\varepsilon\}$, $Lang(s) = \{s\}$, $Lang(e_1;e_2) = \{w_1w_2 \mid w_1 \in Lang(e_1) \wedge w_2 \in Lang(e_2)\}$, $Lang(e_1 + e_2) = Lang(e_1) \cup Lang(e_2)$, and $Lang(e^*)$ is the smallest set containing $\varepsilon$ such that for all $w_1 \in Lang(e)$ and $w_2 \in Lang(e^*)$, $w_1w_2 \in Lang(e^*)$.

Now we generalise interval-based interpreted systems [22] to systems with labelling based on regular expressions.

Definition 1. Given a set of agents $A = \{0, 1, \dots, m\}$, an interpreted system with labelling on regular expressions, ISRL for short, is a tuple $IS = (\{L_i, l_i^0, ACT_i, P_i, t_i\}_{i \in A}, \lambda)$, where:

— $L_i$ is a finite set of local states for agent $i$,

— $l_i^0 \in L_i$ is the initial state for agent $i$,

— $ACT_i$ is a finite set of local actions available to agent $i$,

— $P_i : L_i \to 2^{ACT_i}$ is a local protocol function for agent $i$, returning the set of possible local actions in a given local state,

— $t_i \subseteq L_i \times ACT \times L_i$, where $ACT = ACT_0 \times \cdots \times ACT_m$, is a local transition relation returning the next local state when a joint action is performed by all agents in a given local state,

— $\lambda : Var \to RE_G$ is a labelling function, where $G = L_0 \times L_1 \times \cdots \times L_m$ is the set of global configurations and $Var$ is a finite set of propositional variables.

Agent 0 is often called the environment.

We now define models of an IS on sets of paths from its initial configuration. Let $t_G \subseteq G^2$ be the relation such that $t_G((l_0, \dots, l_m), (l'_0, \dots, l'_m))$ iff there exists a joint action $(a_0, \dots, a_m) \in ACT$ such that for all $i$ we have $a_i \in P_i(l_i)$ and $t_i(l_i, (a_0, \dots, a_m), l'_i)$.

Definition 2. Given an ISRL $IS = (\{L_i, l_i^0, ACT_i, P_i, t_i\}_{i \in A}, \lambda)$ over a set of agents $A = \{0, \dots, m\}$, the model of the IS is a tuple $M = (S, s_0, t, \{\sim_i\}_{i \in A}, \lambda)$, where

— $S \subseteq G^+$ is the set of global states, i.e., non-empty sequences $g_0 \cdots g_k$ such that $g_0 = (l_0^0, \dots, l_m^0)$ and for each $i < k$ we have $t_G(g_i, g_{i+1})$,

— $s_0 = g_0 = (l_0^0, \dots, l_m^0)$ is the initial state of the system,

— $t \subseteq S^2$ is the global transition relation such that $t(g_0 \cdots g_k, g'_0 \cdots g'_l)$ iff $l = k + 1$ and for all $i \le k$ we have $g_i = g'_i$,

— $\sim_i \subseteq S^2$ is the equivalence relation such that $g_0 \dots g_k \sim_i g'_0 \dots g'_l$ iff $g_k = (l_0, \dots, l_m)$, $g'_l = (l'_0, \dots, l'_m)$ and $l_i = l'_i$, and

— $\lambda$ is the labelling function.

Intuitively, S denotes the set of global configurations of the ISRL equipped 
with information about all their predecessors. This is the standard construction 
used for defining unravelling in temporal logic (see, e.g., Definition 4.51 in [5]). 
We need to keep the information regarding the predecessors for the semantics of 
backward modalities; the semantics of the epistemic modalities is defined only 
on the current state. 

Given a model $M$, an interval in $M$ is a finite path in $M$, i.e., a sequence of states $I = s_1, s_2, \dots, s_n$ such that $t(s_i, s_{i+1})$ for $1 \le i \le n - 1$. A point interval is an interval that consists of exactly one state. We assume $pi(I) = \top$ for a point interval $I$ and $pi(I) = \bot$ for all the other intervals.

For each state $s = g_0, \dots, g_k \in S$, we assume $g(s) = g_k$. So $g(s)$ denotes the actual configuration of $s$, not its history. We extend $g$ to intervals by assuming $g(I) = g(s_0) \cdots g(s_k)$ for every interval $I = s_0, \dots, s_k$.

We say that an ISRL is point-based if $\lambda$ only labels the point intervals, i.e., for each $v \in Var$ we have $\lambda(v) = \sum_{g \in G'} g$ for some $G' \subseteq G$. An ISRL is endpoint-based if $\lambda$ is defined on the endpoints of the intervals, i.e., for each $v \in Var$ we have $\lambda(v) = \sum_{g \in G'} (g + g\,G^*\,g) + \sum_{(g, g') \in P} g\,G^*\,g'$ for some $G' \subseteq G$ and $P \subseteq G'^2 \setminus \{(g, g) \mid g \in G\}$, where $G^*$ abbreviates $(\sum_{g \in G} g)^*$. Notice that the models of point-based ISRL can be seen as standard Kripke structures; the models of endpoint-based ISRL can be seen as the generalised Kripke structures of [22].

For $g = (l_0, l_1, \dots, l_m)$ we denote by $l_i(g)$ the local state $l_i \in L_i$ of agent $i \in A$ in $g$. For a global state $s = g_0, \dots, g_k$, we assume $l_i(s) = l_i(g_k)$.

Now we give an example of an interpreted system and of its model. We will 
use this example in the following sections to illustrate other constructions. 

Example 1. Consider an ISRL $IS_{ex} = (\{L_i, l_i^0, ACT_i, P_i, t_i\}_{i \in A}, \lambda)$ over a set of agents $A = \{0, 1\}$ and a set of propositional variables $Var = \{p\}$, where

— $L_0 = \{l_0\}$, $L_1 = \{l_1, l_2, l_3\}$,

— $l_0^0 = l_0$, $l_1^0 = l_1$,

— $ACT_0 = \{a_1, a_2\}$, $ACT_1 = \{e\}$,

— $P_0(l_0) = ACT_0$, $P_1(l_1) = P_1(l_2) = P_1(l_3) = ACT_1$,

— $t_0 = \{(l_0, (a_1, e), l_0), (l_0, (a_2, e), l_0)\}$, $t_1 = \{(l_1, (a_1, e), l_2), (l_1, (a_2, e), l_2), (l_2, (a_2, e), l_1), (l_2, (a_1, e), l_3), (l_3, (a_1, e), l_1), (l_3, (a_2, e), l_1)\}$,

— $\lambda(p) = g_1(g_1 + g_2)^*g_3$, where $g_i = (l_0, l_i)$.

Figure 1 depicts the agents of $IS_{ex}$. We have $G = \{g_1, g_2, g_3\}$ and $t_G = \{((l_0, l_1), (l_0, l_2)), ((l_0, l_2), (l_0, l_1)), ((l_0, l_2), (l_0, l_3)), ((l_0, l_3), (l_0, l_1))\}$. The model $M_{ex}$ of $IS_{ex}$ is infinite. A fragment of it is depicted in Figure 2.
Fig. 1: The agents from Example 1, where * stands for any action.



Fig. 2: A fragment of the model of $IS_{ex}$ from Example 1. $I_1$, $I_2$ and $I_3$ are labelled by $p$, as $g(I_1) = g(I_2) = g_1g_2g_3$ and $g(I_3) = g_1g_2g_1g_2g_3$ belong to $Lang(\lambda(p))$.



Fig. 3: Basic Allen relations. 


$I R_A I'$ iff $first(I') = last(I)$

$I R_B I'$ iff $I = I' I_1$ for some interval $I_1$

$I R_D I'$ iff $I = I_1 I' I_2$ for some intervals $I_1, I_2$

$I R_E I'$ iff $I = I_1 I'$ for some interval $I_1$

$I R_L I'$ iff there is a path from $last(I)$ to $first(I')$

$I R_O I'$ iff $I I_1 = I_2 I'$ for some intervals $I_1, I_2$


3 The logic EHS+ 

We now define the syntax of the specification language we focus on in this paper. The temporal operators represent relations between intervals as originally defined by Allen [3]. Six of these relations are presented in Figure 3: $R_A$ (“after” or “meets”), $R_B$ (“begins” or “starts”), $R_D$ (“during”), $R_E$ (“ends”), $R_L$ (“later”), and $R_O$ (“overlaps”). Six additional operators can be defined corresponding to the six inverse relations. Formally, for each $X \in \{A, B, D, E, L, O\}$, we also consider the relation $R_{\bar X}$, corresponding to $R_X^{-1}$.

For convenience, we also consider the “next” relation $R_N$ such that $I R_N I'$ iff $t(last(I), first(I'))$ [24]. Let $\mathbb{HS} = \{A, \bar A, B, \bar B, D, \bar D, E, \bar E, L, \bar L, N, \bar N, O, \bar O\}$.

Definition 3. The syntax of the Epistemic Halpern-Shoham Logic (EHS+), $\mathcal{L}_{EHS^+}$, is defined by the following BNF:

$\varphi ::= pi \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid K_i\varphi \mid C_\Gamma\varphi \mid \langle X \rangle\varphi$

where $p \in Var$ is a propositional variable, $i \in A$ is an agent, $\Gamma \subseteq A$ is a set of agents, and $X \in \mathbb{HS}$.
We use abbreviations including $[X]\varphi$ for $\neg\langle X\rangle\neg\varphi$ and the usual Boolean connectives $\vee, \Rightarrow, \Leftrightarrow$ as well as the constants $\top, \bot$ in the standard way.

Note that the modality $\langle N \rangle$ is a counterpart of the EX operator of CTL. While $\langle N \rangle$ is redundant in EHS+, since $\langle N\rangle\varphi = \langle A\rangle(\neg pi \wedge [B][B]\bot \wedge \langle A\rangle\varphi)$, it is useful in fragments of EHS+ that do not contain $B$ and $E$.

In order to provide the semantics for the epistemic operators on an interval-based semantics, we specify when two intervals are epistemically indistinguishable for an agent, i.e., when an agent cannot distinguish between the two. We say that $I \sim_i I'$, where $I = s_1, \dots, s_k$ and $I' = s'_1, \dots, s'_l$, iff $k = l$ and for all $j \le k$ we have $s_j \sim_i s'_j$. In other words, for two intervals to be indistinguishable to agent $i$ the two intervals need to be of the same length and the agent must not be able to distinguish any pair of corresponding points in the intervals. This appears to be the natural generalisation to intervals of the point-based knowledge modalities traditionally used in epistemic logic. For example, in the model presented in Example 1 we have $I \sim_0 I'$ if and only if $|I| = |I'|$, and $I \sim_1 I'$ if and only if $I = I'$; in general these relations may be more complicated. We extend this definition to the common knowledge case by considering $\sim_\Gamma = (\bigcup_{i \in \Gamma} \sim_i)^*$, for any group of agents $\Gamma \subseteq A$, where $*$ denotes the transitive closure. For further explanations we refer to [22].

We now define when a formula is satisfied in an interval on an ISRL. 

Definition 4 (Satisfaction). Given an EHS+ formula $\varphi$, an ISRL $IS$, its model $M = (S, s_0, t, \{\sim_i\}_{i \in A}, \lambda)$ and an interval $I$, we inductively define whether $\varphi$ holds in the interval $I$, denoted $M, I \models \varphi$, as follows:

(i) $M, I \models pi$ iff $I$ is a point interval,

(ii) $M, I \models p$ iff $g(I) \in Lang(\lambda(p))$,

(iii) $M, I \models \neg\varphi$ iff it is not the case that $M, I \models \varphi$,

(iv) $M, I \models \varphi_1 \wedge \varphi_2$ iff $M, I \models \varphi_1$ and $M, I \models \varphi_2$,

(v) $M, I \models K_i\varphi$, where $i \in A$, iff for all $I' \sim_i I$ we have $M, I' \models \varphi$,

(vi) $M, I \models C_\Gamma\varphi$, where $\Gamma \subseteq A$, iff for all $I' \sim_\Gamma I$ we have $M, I' \models \varphi$,

(vii) $M, I \models \langle X\rangle\varphi$ iff there exists an interval $I'$ such that $I R_X I'$ and $M, I' \models \varphi$, where $R_X$ is an Allen relation as above.

We write $IS, I \models \varphi$ if $M, I \models \varphi$, where $M$ is the model of $IS$, and $IS \models \varphi$ if $IS, s_0 \models \varphi$.
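The semantics above, worked on Example 1 as an added example (this is not the authors' code; the nested-tuple encoding of formulas, the function names and the rendering of $\lambda(p)$ as a Python regular expression are my choices): the script derives $t_G$ from the local protocols and transitions, represents an interval by its configuration sequence $g(I)$ (sound for $IS_{ex}$ because every configuration is reachable from $g_0$, so every $t_G$-path is the projection of some interval of $M_{ex}$), and decides $M, I \models \varphi$ for the BDE fragment, i.e. rules (i)-(vii) restricted to $R_B$, $R_D$, $R_E$, $\sim_i$ and $\sim_\Gamma$.

```python
"""Example 1 as a small EHS+ model checker for the BDE fragment (added example)."""
import re
from itertools import product

# --- The ISRL of Example 1: agent 0 is the environment, agent 1 has three states
ACT = {0: ("a1", "a2"), 1: ("e",)}
PROTOCOL = {0: lambda l: set(ACT[0]), 1: lambda l: set(ACT[1])}  # P_i(l)
# t_i as sets of (local state, joint action (a0, a1), next local state)
TRANS = {
    0: {("l0", ("a1", "e"), "l0"), ("l0", ("a2", "e"), "l0")},
    1: {("l1", ("a1", "e"), "l2"), ("l1", ("a2", "e"), "l2"),
        ("l2", ("a2", "e"), "l1"), ("l2", ("a1", "e"), "l3"),
        ("l3", ("a1", "e"), "l1"), ("l3", ("a2", "e"), "l1")},
}
# Global configurations g_i = (l0, l_i), named so that g(I) can be a string.
CONF = {"g1": ("l0", "l1"), "g2": ("l0", "l2"), "g3": ("l0", "l3")}
# Regular labelling lambda(p) = g1(g1+g2)*g3 over configuration names.
LABELLING = {"p": r"g1(g1|g2)*g3"}


def global_transitions():
    """t_G(g, g') iff some joint action is allowed by every P_i and taken by every t_i."""
    tg = set()
    for g, g2 in product(CONF, repeat=2):
        for joint in product(ACT[0], ACT[1]):
            if all(joint[i] in PROTOCOL[i](CONF[g][i])
                   and (CONF[g][i], joint, CONF[g2][i]) in TRANS[i] for i in (0, 1)):
                tg.add((g, g2))
    return tg


TG = global_transitions()


def paths(n):
    """All t_G-paths of length n, i.e. the g-projections of all intervals of that length."""
    if n == 1:
        return [(g,) for g in CONF]
    return [pth + (g2,) for pth in paths(n - 1) for (g, g2) in TG if g == pth[-1]]


def allen(X, I):
    """Intervals J with I R_X J for X in {B, D, E}: proper prefixes, infixes, suffixes."""
    n = len(I)
    if X == "B":
        return [I[:k] for k in range(1, n)]
    if X == "E":
        return [I[k:] for k in range(1, n)]
    if X == "D":
        return [I[a:b] for a in range(1, n) for b in range(a + 1, n)]
    raise ValueError(X)


def indist(i, I, J):
    """I ~_i J: same length and agent i's local state agrees at every position."""
    return len(I) == len(J) and all(CONF[a][i] == CONF[b][i] for a, b in zip(I, J))


def common_class(group, I):
    """The ~_Gamma class of I: closure of I under the union of ~_i for i in group."""
    seen, todo = {I}, [I]
    while todo:
        J = todo.pop()
        for K in paths(len(I)):
            if K not in seen and any(indist(i, J, K) for i in group):
                seen.add(K)
                todo.append(K)
    return seen


def sat(I, phi):
    """M, I |= phi (Definition 4) for the BDE fragment; phi is a nested tuple."""
    op = phi[0]
    if op == "pi":                      # (i)   point interval
        return len(I) == 1
    if op == "var":                     # (ii)  g(I) in Lang(lambda(p))
        return re.fullmatch(LABELLING[phi[1]], "".join(I)) is not None
    if op == "not":                     # (iii)
        return not sat(I, phi[1])
    if op == "and":                     # (iv)
        return sat(I, phi[1]) and sat(I, phi[2])
    if op == "K":                       # (v)   every J ~_i I of the same length
        return all(sat(J, phi[2]) for J in paths(len(I)) if indist(phi[1], I, J))
    if op == "C":                       # (vi)  every J ~_Gamma I
        return all(sat(J, phi[2]) for J in common_class(phi[1], I))
    if op in ("B", "D", "E"):           # (vii) some J with I R_X J
        return any(sat(J, phi[1]) for J in allen(op, I))
    raise ValueError(op)


if __name__ == "__main__":
    P = ("var", "p")
    print(sorted(TG))                                    # g1->g2, g2->g1, g2->g3, g3->g1
    print(sat(("g1", "g2", "g3"), P))                    # True
    print(sat(("g1", "g2", "g3", "g1", "g2", "g3"), P))  # False: same endpoints, not in Lang
    print(sat(("g1", "g2", "g3"), ("K", 1, P)))          # True: ~_1 is the identity here
    print(sat(("g1", "g2", "g3"), ("K", 0, P)))          # False: ~_0 relates all equal-length paths
```

Evaluating $p$ on $g_1g_2g_3$ and on $g_1g_2g_3g_1g_2g_3$ (equal endpoints, different truth values) is exactly the situation no endpoint-based labelling can capture, which is the motivation for ISRL.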

4 Expressive power 

The expressivity of EHS+ is incomparable to that of traditional formalisms such as LTL, CTL, or EHS, as EHS+ is defined on different semantic structures. To investigate its expressive power, we introduce EHS^re, a variant of EHS+ defined over point-based interpreted systems. We show that the model checking problems for EHS^re and EHS+ admit a polynomial time reduction to one another on the corresponding semantics. We also observe that EHS^re can represent properties not expressible by CTLK*, the epistemic version of CTL* (and therefore LTLK and CTLK). So, intuitively, there is a sense in which EHS+ is indeed more expressive than the usual temporal-epistemic logics interpreted on points.

For a labelling function $\lambda$ and a regular expression $r$, let $\lambda \circ r$ be the regular expression obtained from $r$ by replacing each propositional variable $p$ by $\sum_{g \in \lambda(p)} g$ (if $\lambda(p) = \emptyset$, we put $\emptyset$).

Definition 5. The language of EHS^re, $\mathcal{L}_{EHS^{re}}$, is defined as follows:

$\varphi ::= pi \mid r \mid \neg\varphi \mid \varphi \wedge \varphi \mid K_i\varphi \mid C_\Gamma\varphi \mid \langle X\rangle\varphi$

where $r \in RE_{2^{Var}}$, $i \in A$, $\Gamma \subseteq A$, and $X \in \mathbb{HS}$.

The semantics of EHS^re results from replacing the second rule in Definition 4 by (ii') $M, I \models r$ iff $I = s_1, \dots, s_k$ and $g(s_1) \cdots g(s_k) \in Lang(\lambda \circ r)$.

Intuitively, EHS^re is the result of adapting EHS+ by moving the regular expressions from the labelling function into the language.

For convenience, we allow the use of $p$ and $\neg p$ in the regular expressions, by defining $p = \sum_{X \subseteq Var,\, p \in X} X$ and $\neg p = \sum_{X \subseteq Var,\, p \notin X} X$.

Let $\mathcal{L}_{Var}$ be the set of all the possible labellings of interpreted systems with variables of $Var$, and $\mathcal{L}^p_{Var} \subseteq \mathcal{L}_{Var}$ be the set of all such labellings for point-based interpreted systems.

Theorem 1. There exist polynomial time computable functions $f : \mathcal{L}_{Var} \times \mathcal{L}_{EHS^+} \to \mathcal{L}^p_{Var} \times \mathcal{L}_{EHS^{re}}$ and $f' : \mathcal{L}^p_{Var} \times \mathcal{L}_{EHS^{re}} \to \mathcal{L}_{Var} \times \mathcal{L}_{EHS^+}$ such that for any interpreted system $IS = (\{L_i, l_i^0, ACT_i, P_i, t_i\}_{i \in A}, \lambda)$, any formula $\varphi$ and any interval $I$:

1. If $IS, I \models \varphi$ and $f(\lambda, \varphi) = (\lambda', \varphi')$, then $IS' = (\{L_i, l_i^0, ACT_i, P_i, t_i\}_{i \in A}, \lambda')$ is point-based and such that $IS', I \models \varphi'$.

2. If $IS$ is point-based, $IS, I \models \varphi$, and $f'(\lambda, \varphi) = (\lambda', \varphi')$, then we have that $(\{L_i, l_i^0, ACT_i, P_i, t_i\}_{i \in A}, \lambda'), I \models \varphi'$.

Given Theorem 1, we can say that the logics EHS+ and EHS^re can describe the same properties of corresponding interpreted systems. Since EHS^re expresses properties of point-based interpreted systems, whose models are standard Kripke structures, we can formally compare the expressive power of EHS^re to that of some more widely known formalisms.

Definition 6. Given two logics $\mathcal{L}_1, \mathcal{L}_2$, we write $\mathcal{L}_1 \subseteq \mathcal{L}_2$ if for each formula $\varphi_1$ of $\mathcal{L}_1$ there is a formula $\varphi_2$ of $\mathcal{L}_2$ such that for all point-based ISRL we have $IS \models \varphi_1$ iff $IS \models \varphi_2$.

One can easily show that $EHS^{re} \not\subseteq CTLK^*$. Consider the temporal property “all the paths starting in the initial state satisfy $(p; True)^\omega$”. This property cannot be expressed in CTLK* [32]. However, the property can be verified by evaluating the EHS^re formula $pi \wedge [A]((p;\top)^* \Rightarrow [N](p;\top^*))$.

Also observe that the property above cannot be expressed in the logic EHS considered over point-based ISRL either. So over point-based ISRL we have that $EHS^{re} \not\subseteq EHS$.
In terms of limitations, note that EHS^re can only express properties of finite intervals. For example, the CTL property $AFp$, expressing the fact that each infinite path satisfies $p$ at some point, cannot be encoded by any EHS^re formula. Therefore $CTLK \not\subseteq EHS^{re}$; similarly we have $LTLK \not\subseteq EHS^{re}$.

Since EHS^re does not allow us to name actions explicitly, we have that $\text{E-PDL} \not\subseteq EHS^{re}$. It can also be shown that $EHS^{re} \not\subseteq \text{E-PDL}$, since E-PDL cannot express the property $\langle A\rangle(K_i(p\,q^*\,r))$, as the epistemic modalities in E-PDL are based on states rather than time intervals.

5 The model checking problem 

We now investigate the complexity of the model checking problem for fragments 
of the logics explored so far. 

Definition 7. Given a formula $\varphi$ of a logic $L$, an ISRL $IS$ and an interval $I$, the model checking problem for $L$ amounts to checking whether or not $IS, I \models \varphi$.

In establishing the above, we say we have model checked $M$ against the specification $\varphi$ at an interval $I$. Notice that the formula is verified only in the given interval; however, one can easily check whether all the initial intervals satisfy a formula $\varphi$ by checking whether $M, s_0 \models [A]\varphi$.

The ABLN fragment of EHS+, denoted $EHS^+_{ABLN}$, is the subset of EHS+ where the BNF is restricted to the modalities $K_i$, $C_\Gamma$, $\langle A\rangle$, $\langle B\rangle$, $\langle L\rangle$ and $\langle N\rangle$ only. Similarly, the BDE fragment of EHS+, denoted $EHS^+_{BDE}$, is the restriction of EHS+ to the modalities $K_i$, $C_\Gamma$, $\langle B\rangle$, $\langle D\rangle$ and $\langle E\rangle$.

Theorem 2. Model checking ISRL against $EHS^+_{BDE}$ specifications is decidable and PSPACE-complete.

The above follows from the fact that satisfaction can be determined by examining only intervals of bounded length. The proof is in the appendix.

Theorem 3. Model checking ISRL against $EHS^+_{ABLN}$ specifications is decidable in non-elementary time.

We prove this by generalising the proof of Theorem 13 given in [24].

A top-level sub-formula of a formula $\varphi$ is a sub-formula of $\varphi$ of the form $X\varphi'$, for some modality $X$ of $EHS^+_{ABLN}$, that is not in the scope of any modality. Assume an ISRL $IS$. Let $f_{IS}(\varphi)$ be defined recursively as

$f_{IS}(\varphi) = \left(2|G|^2 \prod_{q \in Var} 2^{|\lambda(q)|}\right) \cdot 2^{f_{IS}(\varphi_1)} \cdots 2^{f_{IS}(\varphi_k)}$

where $X_1\varphi_1, \dots, X_k\varphi_k$ are the top-level sub-formulas of $\varphi$. The idea is that $f_{IS}(\varphi)$ is an upper bound on the number of different interval types w.r.t. $\varphi$; an interval type consists of the information whether an interval is a point interval or not (hence 2), what its endpoints are (hence $|G|^2$), what the states of the automata corresponding to the regular expressions are after reading the interval (hence the product) and the types of the intervals related to the interval w.r.t. the top-level sub-formulas of $\varphi$ (hence the recursive part).

We define a bounded satisfaction relation $\models_b$ for $EHS^+_{ABLN}$, for which the decidability of model checking is straightforward. The rules (i'-vi') of the definition of $\models_b$ are the same as the rules (i-vi) from Definition 4, except that $\models$ is replaced with $\models_b$. The last rule, however, is different:

(vii') $M, I \models_b \langle X\rangle\varphi$ if and only if there exists an interval $I'$ such that $|I'| \le |I| + f_{IS}(\varphi)$, $I R_X I'$ and $M, I' \models_b \varphi$, where $X$ is $A$, $B$, or $N$.

It is not hard to see that model checking is decidable for the bounded semantics. It turns out that in the $EHS^+_{ABLN}$ case the relations $\models$ and $\models_b$ are the same, and therefore the model checking procedure for the bounded semantics solves the model checking problem for the unbounded semantics. All the details are in the appendix.

By employing the polynomial time reductions of Theorem 1 we can show that model checking point-based ISRL against BDE fragment of EHS^re specifications is PSPACE-complete and that model checking point-based ISRL against ABLN fragment of EHS^re specifications is decidable.

6 Conclusions and Future Work 

Temporal logic is one of the key foundational tools to reason about computing systems. Several variants of temporal logics have been studied, reflecting the underlying assumptions on the temporal flow, ranging from linear to branching and from discrete to continuous. Interval temporal logics are a relatively less explored variant of temporal logic. As is known, these are particularly appropriate to study the properties of continuous processes. However, while interval temporal logics could provide a formal basis for systems verification, little is known in terms of their model checking problem. Indeed, this was only recently explored in [22, 24, 28] in the context of variants of the logic HS.

Since the complexity of the model checking problem for HS fragments is typically high and the decidability of the full HS logic is not known, a compelling avenue of research involves establishing whether the expressivity of previously studied, well-behaved fragments of HS can be significantly enriched without losing the attractiveness of their model checking problem. The logic EHS+, proposed in this paper, combines the interval temporal logic HS and epistemic logic. The logic can be seen as a considerable generalisation of the logics proposed in [22] and [28]. Specifically, EHS+ can express properties of complex processes consisting of many stages, even if the processes are repeating or overlapping. Regular expressions allow one to express further properties not explored here.

We showed that model checking for the BDE fragment of EHS+ is decidable and PSPACE-complete, and that the model checking problem for the ABL fragment of the logic is decidable. While the complexity is the same as that for the EHS logic in [22], EHS+ is considerably more expressive.

Further ahead we intend to study more expressive fragments of EHS+. We believe that the technique presented here can be extended to backward modalities, such as $\langle \bar A\rangle$, $\langle \bar D\rangle$, $\langle \bar E\rangle$, $\langle \bar L\rangle$ and $\langle \bar N\rangle$. However, more investigation is required, since in the case of backward modalities one cannot simply disregard the histories.

A further open problem is the decidability of any fragment involving the modality $O$. In a sense, $O$ is the hardest case of all operators. Indeed, it is known that satisfiability for the $O$ fragment of HS is undecidable [5]. Since $O$ can be expressed using $\bar B$ and $E$ [13], we cannot show the decidability of the join of the fragments studied in this paper ($AB\bar BDELN$) without proving it for $O$.

Finally, we are interested in implementing an efficient model checking toolkit for EHS^re specifications. We intend to develop more efficient algorithms on symbolic representations and a suitable predicate abstraction technique for EHS^re.
A Sketch of the Proof of Theorem 1

Roughly speaking, functions $f$ and $f'$ just move the regular expressions from the labelling to the formula and the other way round. Function $f$ is such that $f(\lambda, \varphi) = (\lambda', \varphi')$, where $\lambda'(g) = g$ for all the states $g$ and $\varphi'$ is the result of replacing each propositional variable $q$ in $\varphi$ by $\lambda(q)$. Function $f'$ is such that $f'(\lambda', \varphi') = (\lambda, \varphi)$, where for each regular expression $r$ in $\varphi'$ we replace $r$ by a unique propositional variable $q_r$ and we put $\lambda(q_r) = \lambda' \circ r$. It is readily verifiable that both functions are as required.

B Proof of Theorem 2

Proof. The lower bound follows from the lower bound for the endpoint-based variant of ISRL that was shown in [22] for the same syntax.

For the upper bound, we consider an alternating algorithm [10] working in polynomial time. Since APTime = PSPACE, the theorem follows. Algorithm 1 reports the procedure VER-BDE that solves the model checking problem. Its complexity follows from the fact that each existentially or universally selected interval has size bounded by the size of the initial interval. □


Algorithm 1 The model checking procedure for $EHS^+_{BDE}$.

procedure VER-BDE($M, I, \varphi$)
    if $\varphi = p$ then return $g(I) \in Lang(\lambda(p))$
    if $\varphi = pi$ then return $pi(I)$
    if $\varphi = \neg\varphi'$ then return $\neg$VER-BDE($M, I, \varphi'$)
    if $\varphi = \varphi_1 \wedge \varphi_2$ then return VER-BDE($M, I, \varphi_1$) $\wedge$ VER-BDE($M, I, \varphi_2$)
    if $\varphi = K_i\varphi'$ where $i \in A$ then
        universally select $J$ such that $J \sim_i I$
        return VER-BDE($M, J, \varphi'$)
    if $\varphi = C_\Gamma\varphi'$ where $\Gamma \subseteq A$ then
        universally select $J$ such that $J \sim_\Gamma I$
        return VER-BDE($M, J, \varphi'$)
    if $\varphi = X\varphi'$ where $X \in \{\langle B\rangle, \langle D\rangle, \langle E\rangle\}$ then
        existentially select $J$ such that $I R_X J$
        return VER-BDE($M, J, \varphi'$)


C Proof of Theorem 3

Observe that $\langle L\rangle$ can be defined in terms of $\langle A\rangle$: for any $\varphi$, $\langle L\rangle\varphi = \langle A\rangle(\neg pi \wedge \langle A\rangle\varphi)$. Given this, in what follows we assume that the formulas do not contain $\langle L\rangle$. We now define some auxiliary notions.

For convenience, for each modality $X$ of $EHS^+_{ABLN}$, we define a relation $R_X$ as follows: $R_{\langle A\rangle} = R_A$, $R_{\langle B\rangle} = R_B$, $R_{K_i} = \sim_i$ and $R_{C_\Gamma} = \sim_\Gamma$.

Theorem 4. Model checking ISRL under bounded semantics against $EHS^+_{ABLN}$ specifications is decidable.


Algorithm 2 The model checking procedure for $EHS^+_{ABLN}$.

procedure VERIFY($M, I, \varphi$)
    if $\varphi = p$ then return $g(I) \in Lang(\lambda(p))$
    if $\varphi = pi$ then return $pi(I)$
    if $\varphi = \neg\varphi'$ then return $\neg$VERIFY($M, I, \varphi'$)
    if $\varphi = \varphi_1 \wedge \varphi_2$ then return VERIFY($M, I, \varphi_1$) $\wedge$ VERIFY($M, I, \varphi_2$)
    if $\varphi = K_i\varphi'$ where $i \in A$ then
        for all $J$ s.t. $I \sim_i J$ do
            if $\neg$VERIFY($M, J, \varphi'$) then return false
        return true
    if $\varphi = C_\Gamma\varphi'$ where $\Gamma \subseteq A$ then
        for all $J$ s.t. $I \sim_\Gamma J$ do
            if $\neg$VERIFY($M, J, \varphi'$) then return false
        return true
    if $\varphi = X\varphi'$ where $X \in \{\langle A\rangle, \langle B\rangle\}$ then
        for all $J$ s.t. $I R_X J$ and $|J| \le f_{IS}(\varphi) + |I|$ do
            if VERIFY($M, J, \varphi'$) then return true
        return false


Proof. The procedure VERIFY() given in Algorithm 2 solves the model checking problem. Clearly, it always terminates and its computation time is non-elementary. □

Our crucial theorem says that the bounded semantics is basically the same 
as the unbounded one. 

Theorem 5. Given an $EHS^+_{ABLN}$ formula $\varphi$, a model $M$, and an interval $I$, $M, I \models \varphi$ if and only if $M, I \models_b \varphi$.

Proof. Consider a model $M = (S, s_0, t, \{\sim_i\}_{i \in A}, \lambda)$. For each $p \in Var$ we denote by $\mathcal{A}_p$ the minimal deterministic finite state automaton recognising the language $Lang(\lambda(p))$. By $\mathcal{A}_w(p)$, where $p \in Var$, we denote the state of $\mathcal{A}_p$ after reading a word $w$; in the following, we treat $\mathcal{A}_w$ as a function from $Var$ to automata states.
Definition 8 (Modal Context Tree). Given a model M, the modal context tree of an interval I w.r.t. an EHS^+_ABLN formula φ, denoted by MCT^φ_I, is the minimal unranked tree with labelled nodes and edges defined recursively as follows.

— The root of the tree is labelled by the tuple g(first(I)), g(last(I)), π(I), A_I.

— For each top-level sub-formula Xψ of φ and each interval I' such that I R_X I', the root of MCT^φ_I has an Xψ-successor MCT^ψ_{I'} (X indicates the labelling of an edge).

In other words, MCT^φ_I contains sufficient information about all the intervals that need to be considered to determine the value of φ in I, as well as the states of the automata after reading I.

Example 2. Consider the ISRL IS_ex from Example 1, the formula φ = K_0 π ∧ ¬⟨A⟩p, and an interval I = g_1.

To build the modal context tree, we use the automaton for λ(p) presented in Figure 4.



[Fig. 4: A minimal automaton for g_1(g_1 + g_2)*g_3; z_3 is the only accepting state.]

[Fig. 5: MCT^φ_I from Example 2. The omitted ⟨A⟩p-successors are labelled by: g_1, g_2, ⊥, {(p, z_2)}; g_1, g_1, ⊤, {(p, z_2)}; g_1, g_1, ⊥, {(p, z_⊥)}; g_1, g_2, ⊥, {(p, z_⊥)}; g_1, g_2, ⊥, {(p, z_⊥)}.]


The top-level sub-formulas of φ are K_0 π and ⟨A⟩p. MCT^φ_I (Figure 5) represents I. Notice that there are infinitely many R_A-successors of I, but MCT^φ_I needs only 7 ⟨A⟩p-successors. For example, the successor labelled by g_1, g_2, ⊥, {(p, z_2)} represents all the intervals I such that g(I) is of the form g_1(g_1 + g_2)*.

We now show that the number of modal context trees for a given formula is bounded. We will use this later as a kind of pumping argument and show that if an interval is long enough, then some of its prefixes have the same modal context tree.
Lemma 1. Given a model M and a formula φ, |{MCT^φ_I | I is an interval in M}| ≤ f_IS(φ).

Proof. We show the lemma by induction on φ. Clearly, if a formula has no modalities, then {MCT^φ_I | I is an interval in M} contains trees with only one node, which can be labelled with 2|G|^2 ∏_{q∈Var} 2^{|A(q)|} different labels.

Consider a formula φ with the top-level sub-formulas X_1 φ_1, ..., X_k φ_k. Each tree for φ consists of one of 2|G|^2 ∏_{q∈Var} 2^{|A(q)|} possible roots and, for each i, any subset of the subtrees for φ_i. Therefore, |{MCT^φ_I | I is an interval in M}| ≤ 2|G|^2 ∏_{q∈Var} 2^{|A(q)|} 2^{f_IS(φ_1)} … = f_IS(φ). □

We show that the modal context tree does not depend on the histories.

Lemma 2. Consider a model M = (S, s_0, t, {~_i}_{i∈A}, λ) and a formula φ. If I and I' are intervals such that g(I) = g(I'), then MCT^φ_I = MCT^φ_{I'}.

Proof. We show this by induction.

The roots of MCT^φ_I and MCT^φ_{I'} have the same labels, since g(first(I)) = g(first(I')), g(last(I)) = g(last(I')), π(I) = π(I') and the labelling is defined on g(I).

Consider a ⟨X⟩φ'-successor T of the root of MCT^φ_I, where ⟨X⟩φ' is a top-level sub-formula of φ and X ∈ {A, B, N}. There is an interval J such that I R_X J and MCT^{φ'}_J = T. So there exists a J' such that I' R_X J' and g(J) = g(J'), because X is a "forward modality", so the R_X-successors of I' do not depend on the history. By the inductive hypothesis, MCT^{φ'}_J = MCT^{φ'}_{J'}, and therefore the roots of MCT^φ_I and MCT^φ_{I'} have the same ⟨X⟩φ'-successors.

As for the Xφ'-successors where X is an epistemic modality, it is enough to observe that I R_X I', and therefore I and I' are related to the same intervals by the equivalence relation R_X. The lemma follows. □

Now we argue that if two intervals have the same modal context tree w.r.t. φ, then either both satisfy φ or neither does.

Lemma 3. Consider a model M = (S, s_0, t, {~_i}_{i∈A}, λ) and a formula φ. If I and I' are intervals such that MCT^φ_I = MCT^φ_{I'}, then M, I ⊨ φ if and only if M, I' ⊨ φ.

Proof. We show it by induction on φ.

Case 1. φ = p for some variable p. The root of MCT^φ_I is labelled by the state of the automaton corresponding to λ(p) after reading I, and the root of MCT^φ_{I'} is labelled by the state of the automaton corresponding to λ(p) after reading I'. Since the two trees are equal, the automaton is in the same state in both cases, either accepting or rejecting, and therefore M, I ⊨ p if and only if M, I' ⊨ p.

Case 2. φ = π. The root of MCT^φ_I is labelled by π(I), and so is the root of MCT^φ_{I'}, and therefore π(I) = π(I').

Case 3. φ = ¬φ'. By the inductive assumption, M, I ⊨ φ' if and only if M, I' ⊨ φ', so M, I ⊨ φ if and only if M, I' ⊨ φ.

Case 4. φ = φ_1 ∧ φ_2. By the inductive assumption, M, I ⊨ φ_1 if and only if M, I' ⊨ φ_1 and M, I ⊨ φ_2 if and only if M, I' ⊨ φ_2, so M, I ⊨ φ if and only if M, I' ⊨ φ.

Case 5. φ = K_i φ'. Assume that M, I ⊨ φ. Consider any interval J' such that I' ~_i J'. By definition, in the tree MCT^φ_{I'}, the subtree MCT^{φ'}_{J'} is a K_i φ'-successor of the root. It follows that in the tree MCT^φ_I (= MCT^φ_{I'}), MCT^{φ'}_{J'} is a K_i φ'-successor of the root. Let J be such that I ~_i J and MCT^{φ'}_{J'} = MCT^{φ'}_J. Clearly, since M, I ⊨ φ, M, J ⊨ φ'. By the inductive assumption, M, J' ⊨ φ'. Therefore M, I' ⊨ φ.

Case 6. φ = C_Γ φ'. Assume that M, I ⊨ φ and J' is such that I' ~_Γ J'. Again, in MCT^φ_{I'}, the subtree MCT^{φ'}_{J'} is a C_Γ φ'-successor of the root. It follows that in the tree MCT^φ_I, MCT^{φ'}_{J'} is a C_Γ φ'-successor of the root. Let J be such that I ~_Γ J and MCT^{φ'}_{J'} = MCT^{φ'}_J; then M, J ⊨ φ', and by the inductive assumption, M, J' ⊨ φ'. Therefore M, I' ⊨ φ.

Case 7. φ = ⟨A⟩φ'. We have M, I ⊨ ⟨A⟩φ' if and only if there is an interval J starting in last(I) satisfying φ'. Since g(last(I)) = g(last(I')), the intervals starting from last(I) and last(I') are the same (modulo histories), and therefore there exists an interval J' starting in last(I') such that g(J) = g(J'). By Lemma 2 it follows that MCT^{φ'}_{J'} = MCT^{φ'}_J, so by the inductive assumption M, J' ⊨ φ' and therefore M, I' ⊨ φ.

Case 8. φ = ⟨B⟩φ'. Assume that there is an interval J such that I R_B J and M, J ⊨ φ'. Then MCT^{φ'}_J is a ⟨B⟩φ'-successor of the root in MCT^φ_I, and so in MCT^φ_{I'}. So there is an interval J' such that I' R_B J' and MCT^{φ'}_J = MCT^{φ'}_{J'}. By the inductive hypothesis, M, J' ⊨ φ' and therefore M, I' ⊨ φ.

Case 9. φ = ⟨N⟩φ'. This can be shown similarly to Case 7 for ⟨A⟩φ'. □

As we remarked earlier, if an interval I is long enough, then I has two prefixes with the same modal context tree w.r.t. a formula φ. Intuitively speaking, we would like to replace the longer prefix by the shorter one, thereby obtaining an interval I', and show that the modal context trees of I and I' are the same. By the above lemma, it would follow that they both satisfy the given formula. What remains to be proved is that if we have two prefixes with the same modal context tree, and we append the same interval to both, the results will also have the same modal context tree.

We use the following terminology. A partial state is a sequence of states g_1 ... g_k such that for all i < k we have (g_i, g_{i+1}) ∈ t. Each state of the model is a partial state, but partial states are not required to start at g_0. A partial interval is a sequence s_1 ... s_k of partial states such that for each i < k we have s_{i+1} = s_i g_i for some partial state g_i. A partial interval I = s_1 ... s_k is clear if s_1 = g for some partial state g. We extend the functions first, last and g and the other notions to partial intervals in the obvious way.

We define the operation of adding context to partial intervals as follows. Given a partial interval I and a clear partial interval I' = s_1 ... s_k where (g(last(I)), g(first(I'))) ∈ t, by I ⊕ I' we denote the partial interval I s'_1 ... s'_k such that for each i we have s'_i = last(I) s_i. So ⊕ joins two intervals in a way that accounts for the history of the partial states. Clearly, I ⊕ I' is an interval if and only if I is an interval. We also define the operation ∘ such that I ∘ I' = s'_1 ... s'_k, i.e., it only returns the adjusted partial states of I'.

Lemma 4. Consider a model M, a formula φ, two intervals I, I', and a partial interval J. If MCT^φ_I = MCT^φ_{I'} and (g(last(I)), g(first(J))) ∈ t, then MCT^φ_{I⊕J} = MCT^φ_{I'⊕J}.

Proof. Consider a formula φ, a model M, two intervals I, I' and a partial state s = g such that (g(last(I)), g) ∈ t. We show that if MCT^φ_I = MCT^φ_{I'}, then MCT^φ_{I⊕s} = MCT^φ_{I'⊕s}. This single-step claim can then be used to prove the lemma by induction on the length of J.

Assume that the root of MCT^φ_I is labelled by f, l, π, A_I. Then the roots of both MCT^φ_{I⊕s} and MCT^φ_{I'⊕s} are labelled by f, g, ⊥, A, where for each p ∈ Var we put A(p) equal to the state that the automaton for p reaches from A_I(p) after reading g.

Assume that X_1 φ_1, ..., X_k φ_k are the top-level sub-formulas of φ and i ∈ {1, ..., k} (if there are no such formulas, then the result follows directly). We show that for each i, the roots of MCT^φ_{I⊕s} and MCT^φ_{I'⊕s} have the same X_i φ_i-successors.

Case 1. X_i is an epistemic modality. Consider any interval J such that I ⊕ s R_{X_i} J. Let J = J' ⊕ s'. By the definition, J' R_{X_i} I and s R_{X_i} s'. By the former, we have that MCT^{φ_i}_{J'} is an X_i φ_i-successor of the root in MCT^φ_I, and so MCT^{φ_i}_{J'} is an X_i φ_i-successor of the root in MCT^φ_{I'}. So there is J'' R_{X_i} I' such that MCT^{φ_i}_{J''} = MCT^{φ_i}_{J'}. Therefore J'' ⊕ s' R_{X_i} I' ⊕ s, and thus MCT^{φ_i}_J, which by the inductive hypothesis equals MCT^{φ_i}_{J''⊕s'}, is an X_i φ_i-successor of the root of MCT^φ_{I'⊕s}.

Case 2. X_i = ⟨A⟩. Consider any interval J such that I ⊕ s R_A J. Then there is a clear partial interval Ĵ such that J = I ∘ Ĵ. Let J' = I' ∘ Ĵ. It holds that I' ⊕ s R_A J'. By Lemma 2 we have MCT^{φ_i}_J = MCT^{φ_i}_{J'}.

Therefore, the ⟨A⟩φ_i-successors of the root in MCT^φ_{I⊕s} are also ⟨A⟩φ_i-successors of the root in MCT^φ_{I'⊕s}. The other direction is similar.

Case 3. X_i = ⟨B⟩. Consider any interval J such that I ⊕ s R_B J. Then there is a clear partial interval Ĵ such that J = (I ⊕ s) ⊕ Ĵ.

Let J' = (I' ⊕ s) ⊕ Ĵ. It holds that I' ⊕ s R_B J'. By the inductive hypothesis we have MCT^{φ_i}_J = MCT^{φ_i}_{J'}.

Again, we conclude that the ⟨B⟩φ_i-successors of the root in MCT^φ_{I⊕s} are the same as the ⟨B⟩φ_i-successors of the root in MCT^φ_{I'⊕s}.

Case 4. X_i = ⟨N⟩. The proof is similar to the one of Case 2 for X_i = ⟨A⟩. □

By exploiting the lemma above, we can now give the main result of this section.

The proof of Theorem 5 is by induction on the structure of φ.

The cases for φ = p, φ = π, φ = ¬φ', φ = φ_1 ∧ φ_2, φ = K_i φ', and φ = C_Γ φ' for some sub-formulas φ', φ_1, φ_2 follow from the fact that the semantic rules are the same in both semantics.
Assume that φ = Xφ' for some φ', and X ∈ {⟨A⟩, ⟨B⟩, ⟨N⟩}. If M, I ⊨_b φ, then there is an interval I' of bounded size such that M, I' ⊨_b φ' and I R_X I'. By the induction hypothesis, M, I' ⊨ φ' and therefore M, I ⊨ φ.

If M, I ⊨ φ, then there is an interval I' such that M, I' ⊨ φ' and I R_X I'. Let I' be the shortest possible interval with this property. We show that |I'| ≤ |I| + f_IS(φ).

Let I' = s_1 ... s_t and let I'_k denote the prefix s_1 ... s_k of I'. Assume that |I'| > |I| + f_IS(φ'). By Lemma 1 there are two prefixes I'_k, I'_l such that |I| < k < l and MCT^{φ'}_{I'_k} = MCT^{φ'}_{I'_l}.

Let J be a clear partial interval such that I' = I'_l ⊕ J. By Lemma 4 we have that MCT^{φ'}_{I'} = MCT^{φ'}_{I'_k ⊕ J}. Clearly, |I'_k ⊕ J| < |I'| and, by Lemma 3, M, I'_k ⊕ J ⊨ φ'. Since k > |I|, it follows that I R_X I'_k ⊕ J (the condition k > |I| is only required for ⟨B⟩, since J has to contain I as a prefix). But we assumed that I' was the shortest interval, so this is a contradiction. It follows that |I'| ≤ |I| + f_IS(φ). □

Finally, the proof of Theorem 3 goes as follows. By Theorem 5 the bounded semantics and the unbounded semantics are equivalent. By Theorem 4 model checking the ABLN fragment of EHS^+ with bounded semantics is decidable. Therefore, model checking the ABLN fragment of EHS^+ with unbounded semantics is also decidable. Indeed, the procedure VERIFY given in Algorithm 2 solves the problem.


